[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#4025) Ppolicy overlay: objectIdentifierMatch rule doesn't understand descriptions

Samuel Tran wrote:
>> You can use the objectClass in general, just by loading the schema file.
>> But the code patch that changes the behavior of the pwdAttribute 
>> attributeType resides in the ppolicy overlay. If you don't use the 
>> overlay, the patch does not take effect. It wasn't clear to me that it 
>> was a good idea to change the objectIdentifier syntax behavior for all 
>> of slapd, so the patch is specific to the pwdAttribute attributeType. It 
>> may be a topic for discussion on -devel, whether a global change is more 
>> appropriate.
> I saw the new functions you added in your patch.
> IMHO the EQUALITY objectIdentifierMatch should be satisfied regardless
> of whether the ppolicy is specified or not.
> In core.schema there is that attribute 'supportedApplicationContext'
> that uses the same equality constraint. I haven't used it. Does it mean
> that it won't understand description?

The larger issue here is that OIDs are not maintained in a single table 
in slapd. OIDs for AttributeTypes are recorded separately from OIDs for 
ObjectClasses, Syntaxes, Matching Rules, or any other protocol elements 
that have OIDs. While there is conceptually a single OID namespace, it 
is not implemented as a single namespace inside slapd. So a generic OID 
validator that accepts descriptors would need to look in many tables to 
validate a name.

The other issue is that descriptors aren't guaranteed to be unique. 
E.g., it's possible to have both an AttributeType and an ObjectClass 
with the same name. X.500/ASN.1 doesn't care about descriptor clashes as 
long as OIDs are unique, but this is a problem for LDAP.

The ppolicy patch works because I know that pwdAttribute will only be 
used with OIDs of AttributeTypes. In the general case, we can't make any 
such assumptions, and just searching for the first matching descriptor 
in a variety of tables may yield the wrong numeric OID. For your example 
'supportedApplicationContext' slapd doesn't have any notion of the 
namespace in which ApplicationContext descriptors are registered, so in 
that case the lookup would be futile anyway.

  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/